Profiler analyzes the enemy

Researcher examines motive, family background of average virus creator

By William Jackson

GCN Staff

An innocent user whose system catches a computer virus envisions the virus creator as an antisocial malcontent with purple hair and pierced nose, living in his parents' basement.

But that's not the real picture. According to Sarah Gordon, an antivirus researcher at IBM Corp.'s Thomas J. Watson Research Center, most virus writers are intelligent, have good relationships with their parents and peers, and usually test within normal ranges for ethical development.

Gordon has made a name for herself profiling the virus underground. She cautioned against generalizations about the fluid subculture, but at the recent Black Hat Briefings in Las Vegas, she said most virus writers do outgrow their behavior and never produce any very damaging viruses. There is, however, a growing number of older, more technologically savvy writers.

'We are going to see payloads that do really bad things,' she said.

Virus writers discovered the Internet well after their hacker cousins, Gordon said. They found the Net made it easier to share information and code, which raises the risk of more infections such as the recent Melissa epidemic, she said.

'Viruses are back,' agreed Jeff Moss, Black Hat organizer and director of security assessment for Secure Computing Corp. of Roseville, Minn. Future viruses will be more intelligent and will react to their environments, spreading more rapidly and doing more damage, he said.

Family tree

Gordon began her research in 1994 and updated 'The Generic Virus Writer,' her study of four virus authors, two years later. She investigated about 100 people, verifying their information through follow-up interviews with family, friends and other sources.

Although profiling is an inexact science, Gordon said, she does not regard virus writers as hackers. 'They are two very distinct communities with different skill sets,' she said.

The virus underground originated in the late 1980s with dial-up electronic bulletin boards for posting and exchanging code. The users were geographically fragmented. Bulgaria and Canada became early hotbeds of virus writing, and later Australia and Scandinavia predominated, Gordon said. Virus code generally had to be downloaded from a BBS or distributed on disk, so that out of 3,200 known viruses in 1993, only 71 were out in the wild.

Not until 1996 did the Web become a medium for virus exchange, Gordon said. Although the writers are now more global and have better tools, they have changed very little. Most are young, male and well-adjusted, and most of their code remains caged, she said. Although the number of known viruses had increased tenfold to 32,000 by this year, only 151 flourished in the wild.

As ethical standards and notions of right and wrong mature, most of the young writers grow out of their misbehavior and are replaced by other youngsters, she said. For that reason, the community continues to reinvent the wheel rather than evolve.

But Gordon said the older and more technically competent members, or new-age virus writers, as she has dubbed them, operate openly and regard virus writing as a form of research or self-expression.

Gordon ridiculed the idea that writing viruses serves as legitimate research. 'I can't deny that viruses are interesting,' but uncontrolled experimentation on unwitting subjects is not research; it is merely self-indulgence, she said.